Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

My computer has become infected with Manson/Liser

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

My computer has become infected with Manson/Liser

Unread postby jinr » June 29th, 2009, 8:13 am

Before I get to the description of the problem itself, I'd just like to comment. I've looked around the forum a bit, and I think it's amazing how you people take out of your own free time to help others, with no kind of payment or anything. The world would be a neat place if more people were like you :)

-- DESCRIPTION OF THE PROBLEM --

Last night (June 28) I was browsing around the internet, when a bunch of windows popped up, including some IE windows (I use Firefox) targeting URLs and IPs I never heard of. Then CPU usage went up to 100%, and a fake malware scanner type window came up saying 'You have been infected with malware! Performing system scan ..'. I quickly looked at task manager and noticed some new processes (Like 181223243, ysASuqwejh, and a bunch of SVCHOSTs). I also noticed 'kthn' and 'liser' running. Then the system hung. I restarted it, and when I did the Desktop was all black, with red text on it saying 'Your computer is infected with spyware! Please install an Antispyware program right away!' (This isn't verbatum what it said, but that's the gist of it.) The fake spyware removal window was there again, and there were also fake security alerts saying the same thing.

-- WHAT I'VE DONE SINCE --

I tried to run MBAM, but it wouldn't open. I restarted in safe mode, tried running it again, and it still didn't open. I ran HJT, and it produced a log containing alot of references to 'C:\Program Files\Manson\liser.exe' and 'liser.dll', and the rest of those things I saw in taskmanager before. I eventually figured out that if you rename MBAM, you can run it successfully. (Previously, it would appear in taskmanager as MBAM.exe, but no UI would show up. You could also start multiple instances without getting 'Mbam is already running').

When I tried logging in normally, or in safe mode with networking, it would freeze at the 'Loading windows..' screen before the Logon screen. It booted into safe mode OK though.

I got MBAM working, finally. Then, using FileASSASIN, I deleted kthn.exe (Which was in system32), and the liser.exe & dlls. I created folders with the same names in all of their places so that they couldn't come back. When I restarted after this, the desktop was back to normal, and the fake popups were gone. However, after looking in taskmanager, you could see a bunch of processes (debug.exe, a fake lsass.exe, a fake win.exe, few others). Those seem to be hiding in Local Settings\Temp. I'm worried that these programs would try to keylog me/steal passwords. I did a few MBAM scans, and it identifies some of the files as keyloggers, but doesn't find or remove them all (There are some others), and I haven't got anything else to completely remove it either.

Also, I've looked at alot of other topics on malware forums mentioning liser.exe, and they all seem to be within the month. Would it be safe to assume this is a new thing, or new variation of something?

I've taken a HJT log just before making this post, and haven't messed with the machine since, so it should be as up to date as possible.

-- HJT LOG --

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:47 AM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\sdjee3inf.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\sdjee3inf.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [kthn] C:\WINDOWS\system32\kthn.exe \u
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [kell] c:\program Files\Manson\liser.exe
O4 - HKCU\..\Run: [Jennifer] C:\Documents and Settings\Jennifer\Jennifer.exe /i
O4 - HKCU\..\Run: [] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\v0v670c8lj.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\v0v670c8lj.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\services.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\18107921.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\18107921.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: njrvev.dll,c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: geBTNGWQ - geBTNGWQ.dll (file missing)
O21 - SSODL: ccwGfsIMG - {34B80128-9E12-AB82-C463-42D063F20366} - C:\WINDOWS\system32\vzplflr.dll
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\sdjee3inf.dll (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: XNKUJWZ - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Jennifer\LOCALS~1\Temp\XNKUJWZ.exe
O24 - Desktop Component 0: (no name) - http://runehq.com/image/style/blue/header01.jpg

--
End of file - 9299 bytes

Thank you all in advance :)
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am
Advertisement
Register to Remove

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 2nd, 2009, 7:48 am

Hello... Welcome to the forum.
Sorry for the delay in responding, the forum is very busy.

My name is Wingman, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

I am currently under the guidance of the MRU teachers, everything I post to you, has been reviewed by them.
This additional review process can add some extra time to my responses...but not too much
.
;)

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!.
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. Please, if you have questions about something...ASK, don't guess or assume.
  3. Please -only- post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  4. Please -only- reply to this thread, do not start another!
  5. Please do not run any other fix/removal tools unless instructed to do so!
  6. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  7. Please, continue responding, until I give you the "All Clean"

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.
In the meantime... please perform the following steps.

Step 1.
HJT - Uninstall Manager Log
    Please run HijackThis
      If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  1. From the Main Menu...Press the "Open the Misc Tools"...button.
  2. Press the "Open Uninstall Manager... button.
  3. Press only the Save List...button.
  4. Press the "Save" button. The file "uninstall_list.txt" will be saved in your HJT folder.
  5. Copy and paste the contents of "uninstall_list.txt' in your next reply.

Step 2.
Please include in your next reply:
  1. HJT uninstall_list.txt file contents
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 2nd, 2009, 11:16 pm

Thanks for your help, Wingman (And by extension your teachers :) )
I'm only running the infected computer in safe mode right now, so I'm getting the files by transerfing them with a USB drive. Is there any potential danger to this? (I've already created an autorun.inf folder so that it should be unable to use the drive to automatically infect other computers..)

Here is the file:

7-Zip 4.65
Ad-Aware SE Personal
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
AoA Audio Extractor 1.0
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Toolbar 4.0
AOL You've Got Pictures Screensaver
Apple Software Update
Audacity 1.2.6
CCleaner (remove only)
CCScore
Citrix Presentation Server Client
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4.10
CONNECT
Critical Update for Windows Media Player 11 (KB959772)
Digital Voice Editor 3
DVC5.0 Driver
DVgate Plus
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HLPIndex
HLPRFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Image Converter 2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD for VAIO
InterVideo WinDVDX
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
Kodak EasyShare software
KSU
LAN-Express AS IEEE 802.11 Wireless LAN
Lexmark Z600 Series
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MathPlayer
mCore
mDriver
MediaCoder 0.6.1
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Outlook Connector
Microsoft Office Standard Edition 2003
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIRC
mMHouse
MoodLogic
Mozilla Firefox (3.0.11)
mPfMgr
mProSafe
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Netscape Internet Service Setup
Notifier
NVIDIA Drivers
OpenMG Secure Module 4.2.00
OTtBPSDK
PC Camera
PCDADDIN
PCDHELP
Quicken 2005
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Rhapsody Player Engine
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Samsung Camcorder USB-D03 Capture Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Setting Utility Series
SFR
SHASTA
Sibelius Scorch (ActiveX Only)
SKIN0001
SKINXSDK
SonicStage 3.2
SonicStage Mastering Studio Audio Filter Custom Preset
Sony Certificate PCH
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Launcher
VAIO Light Flo Wallpaper
VAIO Long Battery Life Wallpaper
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.2
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Scene SD Wide Contents
VAIO Registration
VAIO Support Central
VAIO Survey Standalone
VAIO TV Tuner Library 1.4
VAIO Update 2
VAIO Wireless Utility
VAIO Zone
VAIO Zone Remote Commander
Ventrilo Client
Veoh Video Uploader
Veoh Web Player
Verizon Online Help and Support
Viewpoint Media Player
VPRINTOL
Windows Backup Utility
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
Yahoo! Browser Services
Yahoo! Internet Mail

Thanks :)
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 3rd, 2009, 7:29 pm

Hi jinr,
Reading your synopsis of your problem and the steps taken by you so far... You have run MBAM, File Assassin and also deleted and added files in your effort to resolve the problems.
Please be advised... do not make any further changes or run any other "fix" programs or scans, unless directed to do so by me. Adding additional variables to the situation,
will only delay and complicate the analysis. Thanks.

Please read these instructions carefully, before executing and perform the following steps in the order given.
lf you have any problems executing these instructions, <STOP> do not proceed, post back with the problem.

I know you are using a USB drive to download files... do that for the following download... make sure it is renamed before saving to the "infected" computer.

Step 1.
Please download ComboFix.exe... © Copyrighted to sUBs
You must rename it before saving it. (See reference images below). Save it to your desktop.
DO NOT RUN YET!!
Alternate download sites: forospyware.com or geekstogo.com.

Image

Image
--------------------------------------------------------------------

Step 2.
Fix HijackThis entries
  1. Run HijackThis
    • If you are on the Main Menu page... Click "Do a system scan only"
    • If you are on the "scan & fix stuff" page... Press the Scan...button.
  2. When the scan finishes...Place a check mark next to the following entries:
      *Only check those items listed below *
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: C:\WINDOWS\system32\sdjee3inf.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\sdjee3inf.dll (file missing)
      O4 - HKLM\..\Run: [kthn] C:\WINDOWS\system32\kthn.exe \u[/color]
      O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
      O4 - HKCU\..\Run: [kell] c:\program Files\Manson\liser.exe
      O4 - HKCU\..\Run: [Jennifer] C:\Documents and Settings\Jennifer\Jennifer.exe /i <<===== if this is a process you created or need, do not check it
      O4 - HKCU\..\Run: [] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\v0v670c8lj.exe
      O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\v0v670c8lj.exe
      O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Jennifer\LOCALS~1\Temp\services.exe
      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
      O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
      O20 - AppInit_DLLs: njrvev.dll,c:\progra~1\Manson\liser.dll
      O20 - Winlogon Notify: geBTNGWQ - geBTNGWQ.dll (file missing)
      O21 - SSODL: ccwGfsIMG - {34B80128-9E12-AB82-C463-42D063F20366} - C:\WINDOWS\system32\vzplflr.dll
      O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\sdjee3inf.dll (file missing)
  3. After checking these items... CLOSE ALL open windows except HijackThis
  4. Click the Fix Checked ...button...to remove the entries you checked.
  5. Choose YES...when prompted to fix the selected items.
  6. Once it has fixed them, close/exit HijackThis.

Step 3.
Stop - Disable - Delete services
  1. Open Notepad (or some other text editor)
  2. Please copy (Ctrl+C) and paste (Ctrl+V) the following text into Notepad.
    Code: Select all
    @echo off
    sc stop XNKUJWZ
    sc config XNKUJWZ start= disabled 
    sc delete XNKUJWZ
    del %0
    exit
  3. Save the text file ... name = "FixServices.bat" (including quotation marks).
  4. Save file type... = All files...file will not work otherwise.
    Please save it to C:\ drive (your root drive)
  5. Double click "FixServices.bat"...to execute. A window will open and close... this is normal.

Now reboot your computer to NORMAL MODE.

Step 4.
ComboFix
This program is a powerful tool, intended by its creator, to be "used under the guidance and supervision of trained malware removers", NOT for general public use.
Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.
  1. Double click on Combo-Fix.exe & follow the prompts.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    ComboFix will disconnect you from the Internet and also change your clock settings... this is normal, so don't worry. They will be restored when finished.
    The ComboFix window data will be changing with various "Stages"... completed. When finished the screen will show that a log is being created.
    Your desktop may disappear... this is normal and will be restored.
    ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
    When finished... Notepad will open ... ComboxFix will produce a log file called "log.txt".
  2. Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Step 5.
Delete Files - Folders
We need to perform some manual clean up.
  1. Right click on the Start...button... Select Explore...from the menu.
  2. Navigate to and find the following folder: if found, delete it.
    Code: Select all
    c:\program Files\Manson\     <==== delete this entire folder  
    
  3. Please post back with the results of these actions, in your next reply.

Step 6.
Malwarebytes' Anti-Malware
  1. Please start MBAM (Malwarebytes' Anti-Malware) again.
  2. Press the Update tab.. then press the Check for Updates...button.
    Once any updates are installed or you get the message that you are up-to-date
  3. Press the Scanner tab...
  4. Select QUICK SCAN... then press the Scan...button.
    When the scan finishes...
  5. Check everything to be removed, except the System Volume entries If any listed, we'll take care of them later.
  6. Let MBAM remove what it can... if there are files to be deleted on reboot... please reboot the machine so MBAM can finish the removal.
  7. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  8. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  9. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 7.
Post a New HJT Log
  1. Start HijackThis.
    If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
  3. Copy/paste the entire (hijackthis.log) file contents in your next reply.

Step 8.
Please include in your next reply:
    Let me know if you had any problems performing these instructions.
  1. Combo-Fix log file contents.
  2. Current MBAM log file contents.
  3. New HJT log
  4. Tell me how your computer is behaving.
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 3rd, 2009, 11:31 pm

The computer seems to be working alot better - IE has stopped opening, when I tried to update MBAM earlier, it was unable to connect to malwarebytes.org, it was able to this time, and I noticed 'folder options' had dissapeared from the explorer Tools menu, and it's back now. (Also the Jennifer.exe program was made by the virus too and is gone)

Combofix log:

ComboFix 09-07-03.03 - Jennifer 07/03/2009 22:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.299 [GMT -4:00]
Running from: c:\documents and settings\Jennifer\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jennifer\Application Data\wiaserva.log
c:\documents and settings\Jennifer\dcduasm.exe
c:\documents and settings\Jennifer\Jennifer.exe
c:\documents and settings\Jennifer\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\Install.txt
c:\windows\Installer\121228.msp
c:\windows\Installer\121265.msp
c:\windows\Installer\1212a2.msp
c:\windows\Installer\156d5.msp
c:\windows\Installer\15712.msp
c:\windows\Installer\1574f.msp
c:\windows\Installer\1a571.msi
c:\windows\Installer\1da7c.msp
c:\windows\Installer\1eb55.msp
c:\windows\Installer\3761b.msp
c:\windows\Installer\37658.msp
c:\windows\Installer\3765a.msp
c:\windows\Installer\3765c.msp
c:\windows\Installer\3765e.msp
c:\windows\Installer\64b25.msp
c:\windows\Installer\WinRMSrv.msi
c:\windows\setup.exe
c:\windows\system32\18107921.dll
c:\windows\system32\drivers\UACawviwewbsbxjccv.sys
c:\windows\system32\eylhurmx.ini
c:\windows\system32\glnwueea.ini
c:\windows\system32\Install.txt
c:\windows\system32\ppAHkUvw.ini
c:\windows\system32\ppAHkUvw.ini2
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClmxriwgqghcnhdlrk.log
c:\windows\system32\UACmnuemwpejjuxeir.dll
c:\windows\system32\UACmwjjnfrwhbmxfmx.dll
c:\windows\system32\UACpypiqqowksgvxdk.dll
c:\windows\system32\UACrpmiqtdyxgsfkwh.dll
c:\windows\system32\UACrqvewifxyjcjyqo.db
c:\windows\system32\uactmp.db
c:\windows\system32\UACtukylvrecmqnycg.dat
c:\windows\system32\UACwrkjxmjafxneirv.dll
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wiawow32.sys

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-06-29 06:37 . 2009-06-29 06:37 -------- d-----w- c:\windows\system32\kthn.exe
2009-06-29 03:48 . 2008-04-13 23:12 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-29 01:38 . 2009-06-29 01:38 118784 ----a-w- c:\windows\system32\sgcag1j0egbr.dll
2009-06-29 01:38 . 2009-06-29 01:37 80191 ----a-w- c:\windows\system32\qgceg1j0egbr.exe
2009-06-29 01:37 . 2009-06-29 06:20 -------- d-sh--r- c:\program files\Manson
2009-06-21 02:36 . 2009-06-21 02:36 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 05:53 . 2008-12-29 10:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-31 04:39 . 2009-05-31 03:51 -------- d-----w- c:\documents and settings\Jennifer\Application Data\TeamViewer
2009-05-08 03:56 . 2009-04-18 23:50 -------- d-----w- c:\documents and settings\Jennifer\Application Data\U3
2009-05-07 15:32 . 2005-07-13 17:55 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-07-13 17:55 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-07-13 17:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-07-13 17:55 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-07-13 17:55 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-13 22:57 . 2009-01-30 04:50 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-07 16:52 . 2009-04-07 16:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-07 16:51 . 2009-04-07 16:51 152576 ----a-w- c:\documents and settings\Jennifer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-06 19:32 . 2008-12-29 10:58 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-29 10:58 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 17:56 . 2003-11-08 00:21 114688 c:\program files\Apoint\bak\Apoint.exe

2005-07-13 20:35 . 2004-08-09 13:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2005-07-13 20:35 . 2004-08-09 13:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2005-07-13 20:27 . 2005-02-17 01:41 245760 c:\program files\Common Files\Sony Shared\TVTunerLib\bak\TVTLInstTool.exe

2007-07-20 19:21 . 2007-07-20 19:21 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2005-07-13 18:58 . 2005-04-29 21:56 45056 c:\program files\Realtek\InstallShield\bak\AzMixerSel.exe

2005-07-13 20:33 . 2004-02-20 21:12 32768 c:\program files\Sony\ISB Utility\bak\ISBMgr.exe

2005-07-23 00:11 . 2005-06-03 14:16 81920 c:\program files\Sony\SonicStage\bak\SsAAD.exe

2005-07-13 20:20 . 2005-05-15 12:51 184320 c:\program files\Sony\VAIO Power Management\bak\SPMgr.exe

2005-07-23 00:23 . 2005-01-31 17:10 192512 c:\program files\Sony\VAIO Zone Remote Commander\bak\AvRmtCtr.exe

2006-11-17 15:09 . 2006-06-23 16:33 438359 c:\program files\Verizon\SmartBridge\bak\MotiveSB.exe

2005-07-13 17:55 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-07-13 17:55 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-07-13 17:56 . 2007-01-13 14:47 163840 c:\windows\system32\bak\hkcmd.exe

2005-07-13 17:56 . 2007-01-13 14:46 135168 c:\windows\system32\bak\igfxpers.exe

2005-07-13 17:56 . 2007-01-13 14:47 131072 c:\windows\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Google Update"="c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-07 148888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ccwGfsIMG"= {34B80128-9E12-AB82-C463-42D063F20366} - c:\windows\system32\vzplflr.dll [2009-03-21 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Documents and Settings\\Jennifer\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [11/15/2008 10:15 PM 38604]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 10:23 PM 39048]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/29/2008 6:58 AM 38496]
S4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S4 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1718607297-4018761455-3513789977-1006.job
- c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 10:38]

2009-06-28 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-07-23 19:24]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Jennifer/Desktop/todopage/todopage.htm
FF - plugin: c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 23:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1718607297-4018761455-3513789977-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-07-04 23:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 03:04

Pre-Run: 22,886,871,040 bytes free
Post-Run: 24,080,609,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /PAE

215 --- E O F --- 2009-06-10 17:27


Mbam log:

Malwarebytes' Anti-Malware 1.38
Database version: 2370
Windows 5.1.2600 Service Pack 3

7/3/2009 11:18:52 PM
mbam-log-2009-07-03 (23-18-52).txt

Scan type: Quick Scan
Objects scanned: 89469
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{34b80128-9e12-ab82-c463-42d063f20366} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ccwgfsimg (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Manson (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\sgcag1j0egbr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\qgceg1j0egbr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vzplflr.dll (Trojan.Downloader) -> Delete on reboot.


Fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:39 PM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O24 - Desktop Component 0: (no name) - http://runehq.com/image/style/blue/header01.jpg

--
End of file - 7754 bytes
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 5th, 2009, 7:12 pm

Hi jinr,
Great job performing all of those steps. Seems like the effort has paid off. :)
Let's continue. Please read these instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
ComboFix - CFScript
This script is for this individual computer and user. Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code: Select all
    File::
    c:\windows\system32\kthn.exe
    c:\windows\system32\sgcag1j0egbr.dll
    c:\windows\system32\qgceg1j0egbr.exe
    c:\windows\system32\vzplflr.dll
    
    Folder::
    c:\program files\Manson
    c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "ccwGfsIMG"=-
    
  2. Save it to your desktop as CFScript.txt
  3. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  4. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Step 2.
No Anti-virus Software Installed!
Looking over your log ... there is NO evidence of anti-virus software installed.. This puts you at serious risk.
Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others,
including trading partners and thereby spreading infection. Anti-virus software can scan the computer memory and disk drives for malicious code.
They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.
To protect your computer from infection...download a (free for personal use) anti-virus program from one these reliable vendors NOW!

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


Step 3.
Post a New HJT Log
  1. Start HijackThis.
    If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Step 4.
Please include in your next reply:
  1. ComboFix log
  2. New HJT log
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 5th, 2009, 9:39 pm

I was using firefox on the infected computer to read this post, but after I closed it and ran combofix, when I tried to open it again it says Firefox is already running. (I looked under taskmanager and there was no firefox.exe)

Also, I installed the Avira, and it notified me that explorer.exe, services.exe, winlogon.exe and some others are all infected with a trojan.

Here are the logs:

ComboFix 09-07-03.03 - Jennifer 07/05/2009 20:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.241 [GMT -4:00]
Running from: c:\documents and settings\Jennifer\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jennifer\Desktop\CFScript.txt.txt

FILE ::
"c:\windows\system32\kthn.exe"
"c:\windows\system32\qgceg1j0egbr.exe"
"c:\windows\system32\sgcag1j0egbr.dll"
"c:\windows\system32\vzplflr.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\blocklist.xml
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-26.json
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-27.json
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-28.json
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-07-03.json
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-07-05.json
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarks.html
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cert_override.txt
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cert8.db
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\chrome\userChrome-example.css
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\chrome\userContent-example.css
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\compatibility.ini
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\compreg.dat
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\content-prefs.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cookies.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\downloads.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.cache
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.ini
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.rdf
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\chrome.manifest
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\firefoxOverlay.xul
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\vsearchrecs_overlay.js
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\vvc_settings.xul
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\defaults\preferences\searchrecs.js
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\install.rdf
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\locale\en-US\vsr.dtd
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\locale\en-US\vsr.properties
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\compass_off.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\compass_on.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\family_filter_off.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\family_filter_on.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\feedback.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\help_icon.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_disabled.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_disabled_busy.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_enabled.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_enabled_busy.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\overlay.css
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\results_bg.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\send_icon.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\settings.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\supported_off_icon.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\supported_on_icon.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_disabled.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_enabled.png
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_logo_icon.gif
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\formhistory.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\key3.db
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\localstore.rdf
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\mimeTypes.rdf
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\cookies.sqlite.backup
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\d49af6b4-2f9d-4394-9ab6-990895683876.dmp
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\d49af6b4-2f9d-4394-9ab6-990895683876.extra
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\permissions.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\persdict.dat
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\places.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\pluginreg.dat
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\prefs.js
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\prefs.js.BAK
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\search.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\secmod.db
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\signons3.txt
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\urlclassifierkey3.txt
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\webappsstore.sqlite
c:\documents and settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\xpti.dat

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-04 02:58 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2009-07-04 02:58 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-06-29 06:37 . 2009-06-29 06:37 -------- d-----w- c:\windows\system32\kthn.exe
2009-06-29 03:48 . 2008-04-13 23:12 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-21 02:36 . 2009-06-21 02:36 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 03:12 . 2008-12-29 10:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 03:12 . 2009-01-30 04:50 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 15:27 . 2008-12-29 10:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-12-29 10:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-31 04:39 . 2009-05-31 03:51 -------- d-----w- c:\documents and settings\Jennifer\Application Data\TeamViewer
2009-05-08 03:56 . 2009-04-18 23:50 -------- d-----w- c:\documents and settings\Jennifer\Application Data\U3
2009-05-07 15:32 . 2005-07-13 17:55 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-07-13 17:55 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-07-13 17:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2005-07-13 17:55 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-07-13 17:55 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-07 16:52 . 2009-04-07 16:53 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-07 16:51 . 2009-04-07 16:51 152576 ----a-w- c:\documents and settings\Jennifer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-04_03.00.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-13 18:14 . 2009-07-04 03:00 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-07-13 18:14 . 2009-07-04 02:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-07-13 18:14 . 2009-07-04 03:00 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-07-13 18:14 . 2009-07-04 02:37 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 17:56 . 2003-11-08 00:21 114688 c:\program files\Apoint\bak\Apoint.exe

2005-07-13 20:35 . 2004-08-09 13:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2005-07-13 20:35 . 2004-08-09 13:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2005-07-13 20:27 . 2005-02-17 01:41 245760 c:\program files\Common Files\Sony Shared\TVTunerLib\bak\TVTLInstTool.exe

2007-07-20 19:21 . 2007-07-20 19:21 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

2005-07-13 18:58 . 2005-04-29 21:56 45056 c:\program files\Realtek\InstallShield\bak\AzMixerSel.exe

2005-07-13 20:33 . 2004-02-20 21:12 32768 c:\program files\Sony\ISB Utility\bak\ISBMgr.exe

2005-07-23 00:11 . 2005-06-03 14:16 81920 c:\program files\Sony\SonicStage\bak\SsAAD.exe

2005-07-13 20:20 . 2005-05-15 12:51 184320 c:\program files\Sony\VAIO Power Management\bak\SPMgr.exe

2005-07-23 00:23 . 2005-01-31 17:10 192512 c:\program files\Sony\VAIO Zone Remote Commander\bak\AvRmtCtr.exe

2006-11-17 15:09 . 2006-06-23 16:33 438359 c:\program files\Verizon\SmartBridge\bak\MotiveSB.exe

2005-07-13 17:55 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2005-07-13 17:55 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-07-13 17:56 . 2007-01-13 14:47 163840 c:\windows\system32\bak\hkcmd.exe

2005-07-13 17:56 . 2007-01-13 14:46 135168 c:\windows\system32\bak\igfxpers.exe

2005-07-13 17:56 . 2007-01-13 14:47 131072 c:\windows\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Google Update"="c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-29 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-07 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre1.5.0_09\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Documents and Settings\\Jennifer\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [11/15/2008 10:15 PM 38604]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [11/28/2002 10:23 PM 39048]
S4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S4 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1718607297-4018761455-3513789977-1006Core.job
- c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 10:38]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1718607297-4018761455-3513789977-1006UA.job
- c:\documents and settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 10:38]

2009-07-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-07-23 19:24]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1718607297-4018761455-3513789977-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-07-06 20:57
ComboFix-quarantined-files.txt 2009-07-06 00:57
ComboFix2.txt 2009-07-04 03:04

Pre-Run: 24,063,107,072 bytes free
Post-Run: 24,044,204,032 bytes free

215 --- E O F --- 2009-06-10 17:27


--- HIJACKTHIS LOG ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:14 PM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jennifer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O24 - Desktop Component 0: (no name) - http://runehq.com/image/style/blue/header01.jpg

--
End of file - 8376 bytes

Thanks again for all of your help
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 6th, 2009, 1:57 pm

Hi jinr,
Lets see if we can figure out what's going on with FireFox and I'd like more information about what Avira AV found.
Please read these instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
ComboFix - CFScript
ComboFix puts the files it removed in a special folder, in case there is a need for them, before CombiFix deletes the folder.
ComboFix text file contents
  1. Right click the Start button... Select Explore...from the menu.
  2. Navigate to and find the following file :
    Code: Select all
    C:\Qoobox\ComboFix-quarantined-files.txt
    
  3. Please copy and paste the contents of "CombFix-quarantined-files.txt" in your next reply.

Step 2.
Avira Antivirus report
I would like to see exactly what Avira is reporting.
Please look at the Avira configuration, to see where the saved report would be located... if found please copy/paste
the contents in your next reply...
If you can not locate the report... then please run a scan with Avira and post the results of the scan, in your next reply.
Let me know if the posted results are from the original or from a new scan.

Step 3.
Please include in your next reply:
  1. ComboFix-quarantined-files.txt contents
  2. Original Avira report or new scan results
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 6th, 2009, 2:37 pm

Here is the quarantine file:

2009-07-06 00:48:50 . 2009-07-06 00:48:59 358 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-07-06 00:48:06 . 2009-07-06 00:48:06 10,825 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\localstore.rdf.vir
2009-07-06 00:48:05 . 2009-07-06 00:48:05 21,600 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-07-05.json.vir
2009-07-06 00:46:08 . 2009-07-06 00:46:08 18,468 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\prefs.js.vir
2009-07-04 03:50:04 . 2009-07-04 03:50:05 21,600 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-07-03.json.vir
2009-07-04 03:03:45 . 2009-06-29 01:47:31 18,468 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\prefs.js.BAK.vir
2009-07-04 02:57:00 . 2009-07-04 02:57:00 816 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_SOPIDKC.reg.dat
2009-07-04 02:57:00 . 2009-07-04 02:57:00 806 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MSNCACHE.reg.dat
2009-07-04 02:56:55 . 2009-07-06 00:53:23 12,466 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-07-04 02:41:41 . 2009-07-04 02:41:41 1,264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_UACd.sys.reg.dat
2009-07-04 02:38:20 . 2009-07-06 00:47:23 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-29 06:51:21 . 2009-06-29 06:51:21 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\oashdihasidhasuidhiasdhiashdiuasdhasd.vir
2009-06-29 01:42:47 . 2009-06-29 05:50:44 3,976,714 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
2009-06-29 01:38:02 . 2009-06-29 01:38:03 139,264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\18107921.dll.vir
2009-06-29 01:37:56 . 2009-06-29 01:37:55 21,675 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Jennifer.exe.vir
2009-06-29 01:37:54 . 2009-06-29 01:37:48 29,184 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\dcduasm.exe.vir
2009-06-29 01:37:52 . 2009-06-29 06:50:48 4 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\wiaserva.log.vir
2009-06-29 01:37:21 . 2009-06-29 01:37:21 30,208 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
2009-06-29 01:37:15 . 2009-06-29 01:37:19 1,110,399 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrqvewifxyjcjyqo.db.vir
2009-06-29 01:37:12 . 2009-07-04 02:40:15 19,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrkjxmjafxneirv.dll.vir
2009-06-29 01:37:12 . 2009-07-04 02:40:15 18,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmnuemwpejjuxeir.dll.vir
2009-06-29 01:37:10 . 2009-07-04 02:40:14 310 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtukylvrecmqnycg.dat.vir
2009-06-29 01:37:09 . 2009-07-04 02:40:12 6,325 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\uacinit.dll.vir
2009-06-29 01:37:07 . 2009-07-04 02:40:11 67,072 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmwjjnfrwhbmxfmx.dll.vir
2009-06-29 01:36:58 . 2009-07-04 02:40:14 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpypiqqowksgvxdk.dll.vir
2009-06-29 01:36:55 . 2009-07-04 02:40:15 56,320 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
2009-06-28 15:13:11 . 2009-06-28 15:13:12 21,512 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-28.json.vir
2009-06-27 14:58:55 . 2009-06-27 14:58:55 21,512 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-27.json.vir
2009-06-26 07:00:25 . 2009-06-26 07:00:25 21,512 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarkbackups\bookmarks-2009-06-26.json.vir
2009-06-12 04:42:21 . 2009-06-12 04:42:21 15,020 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\mimeTypes.rdf.vir
2009-06-12 03:16:29 . 2009-06-12 03:16:29 4,523 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.rdf.vir
2009-06-12 03:16:29 . 2009-06-12 03:16:29 220 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.ini.vir
2009-06-12 03:16:29 . 2009-06-12 03:16:29 478 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions.cache.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 970 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\compass_on.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 170 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\chrome.manifest.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 98 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\family_filter_off.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 15,751 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_enabled.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 3,258 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\firefoxOverlay.xul.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 153 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\defaults\preferences\searchrecs.js.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 158 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\locale\en-US\vsr.dtd.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 338 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\family_filter_on.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 3,765 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_disabled_busy.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 627 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\settings.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 4,326 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\vvc_settings.xul.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 1,766 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\overlay.css.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 1,017 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\send_icon.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 354 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\supported_off_icon.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 4,561 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_disabled.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 1,067 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_logo_icon.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 1,150 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\install.rdf.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 1,017 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\help_icon.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 6,479 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_disabled.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 354 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\results_bg.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 364 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\supported_on_icon.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 7,461 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\veoh_enabled.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 83 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\locale\en-US\vsr.properties.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 967 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\compass_off.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 947 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\feedback.gif.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 11,932 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\skin\logo_enabled_busy.png.vir
2009-06-08 19:36:16 . 2009-05-15 14:59:34 46,423 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\extensions\searchrecs@veoh.com\content\vsearchrecs_overlay.js.vir
2009-05-31 05:26:56 . 2009-05-31 05:26:56 2,227 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cert_override.txt.vir
2009-04-07 16:38:39 . 2009-05-06 14:02:52 6,144 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\webappsstore.sqlite.vir
2009-03-17 07:52:03 . 2009-03-17 07:52:03 376 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\d49af6b4-2f9d-4394-9ab6-990895683876.extra.vir
2009-03-17 07:51:59 . 2009-03-17 07:52:03 85,128 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\d49af6b4-2f9d-4394-9ab6-990895683876.dmp.vir
2009-02-14 18:38:10 . 2009-02-15 10:42:18 17 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\persdict.dat.vir
2008-12-29 07:34:35 . 2008-12-29 07:34:38 1,306,974 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\eylhurmx.ini.vir
2008-12-29 06:21:09 . 2008-12-29 06:21:14 1,306,974 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\glnwueea.ini.vir
2008-12-29 06:19:03 . 2008-12-29 07:20:15 711,949 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ppAHkUvw.ini2.vir
2008-12-29 06:19:02 . 2008-12-29 07:23:03 712,856 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ppAHkUvw.ini.vir
2008-12-22 20:07:01 . 2009-06-28 20:47:03 2,375 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\blocklist.xml.vir
2008-12-18 05:17:23 . 2008-12-18 05:17:23 8 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\signons3.txt.vir
2008-12-17 11:56:41 . 2009-07-06 00:41:27 154 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\urlclassifierkey3.txt.vir
2008-12-17 11:55:20 . 2009-07-04 03:48:11 13,226 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\pluginreg.dat.vir
2008-12-17 11:55:00 . 2009-06-28 01:14:43 56,320 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\downloads.sqlite.vir
2008-12-17 11:54:45 . 2009-04-14 02:29:13 7,168 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\content-prefs.sqlite.vir
2008-12-17 11:54:44 . 2009-07-06 00:48:06 16,384 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\key3.db.vir
2008-12-17 11:54:44 . 2009-07-06 00:48:06 147,456 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cert8.db.vir
2008-12-17 11:54:43 . 2008-12-17 11:54:43 16,384 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\secmod.db.vir
2008-12-17 11:54:41 . 2009-04-22 18:15:29 4,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\formhistory.sqlite.vir
2008-12-17 11:54:41 . 2008-12-17 11:54:41 2,048 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\search.sqlite.vir
2008-12-17 11:53:41 . 2009-07-06 00:48:02 43,581,440 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\places.sqlite.vir
2008-12-17 11:53:29 . 2009-07-06 00:48:06 590,848 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\cookies.sqlite.vir
2008-12-17 11:53:29 . 2009-02-14 03:57:52 197,632 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\minidumps\cookies.sqlite.backup.vir
2008-12-17 11:53:29 . 2009-03-21 00:08:31 2,048 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\permissions.sqlite.vir
2008-12-17 11:53:11 . 2009-06-12 03:16:33 143,302 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\compreg.dat.vir
2008-12-17 11:53:10 . 2009-06-12 03:16:33 96,354 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\xpti.dat.vir
2008-12-17 11:53:10 . 2009-06-12 03:16:13 180 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\compatibility.ini.vir
2008-12-17 11:53:10 . 2008-12-02 08:04:40 663 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\chrome\userContent-example.css.vir
2008-12-17 11:53:10 . 2008-12-02 08:04:40 1,078 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\chrome\userChrome-example.css.vir
2008-12-17 11:53:10 . 2008-12-02 08:04:40 7,139 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Application Data\Mozilla\Firefox\Profiles\l0yquby2.default\bookmarks.html.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\121228.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\121265.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1212a2.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\156d5.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\15712.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1574f.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1da7c.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1eb55.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3761b.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\37658.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3765a.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3765c.msp.vir
2005-09-24 06:01:54 . 2005-09-24 06:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\3765e.msp.vir
2005-09-24 05:01:54 . 2005-09-24 05:01:54 10,083,840 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\64b25.msp.vir
2005-07-13 20:47:09 . 2005-07-13 20:47:09 333,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\1a571.msi.vir
2005-07-13 18:40:31 . 2003-07-24 19:51:23 111,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\setup.exe.vir
2005-07-13 17:55:30 . 2008-04-14 00:12:36 13,824 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
2004-08-11 09:01:18 . 2004-08-11 09:01:18 7,314,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\WinRMSrv.msi.vir
2004-08-04 12:00:00 . 2004-08-04 12:00:00 264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Install.txt.vir
2004-08-04 12:00:00 . 2004-08-04 12:00:00 264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Install.txt.vir
2004-08-04 12:00:00 . 2004-08-04 12:00:00 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir

Here is the results of a scan done by Avira:



Avira AntiVir Personal
Report file date: Sunday, July 05, 2009 23:32

Scanning for 1448372 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 1ECA66A679AB494

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:29:46
ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 01:29:49
ANTIVIR3.VDF : 7.1.4.182 52224 Bytes 7/5/2009 01:29:50
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/6/2009 01:30:05
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/6/2009 01:30:04
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/6/2009 01:30:01
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/6/2009 01:30:00
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/6/2009 01:29:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/6/2009 01:29:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, July 05, 2009 23:32

Starting search for hidden objects.
'53792' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'HijackThis.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'cmd.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\explorer.exe'
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'veohwebplayer.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\lsass.exe'
Scan process 'services.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\services.exe'
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\winlogon.exe'
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan

The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP357.tmp\aspapp\ocpinst.exe
[0] Archive type: NSIS
--> [UnknownDir]
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\All Users\Application Data\AOL Downloads\AOL_OpenRide_1.23.16.1\comps\acscore.exe
[DETECTION] Is the TR/Agent.1436664 Trojan

Beginning disinfection:
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING] The file could not be deleted!
[NOTE] Attempting to perform action using the ARK library.
C:\Documents and Settings\All Users\Application Data\AOL Downloads\AOL_OpenRide_1.23.16.1\comps\acscore.exe
[DETECTION] Is the TR/Agent.1436664 Trojan
[NOTE] The file was moved to '4ac532cf.qua'!


End of the scan: Monday, July 06, 2009 13:20
Used time: 13:31:39 Hour(s)

The scan has been canceled!

1523 Scanned directories
144642 Files were scanned
7 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
144633 Files not concerned
1091 Archives were scanned
6 Warnings
5 Notes
53792 Objects were scanned with rootkit scan
0 Hidden objects were found
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 6th, 2009, 3:54 pm

Sorry, it seems the last Avira scan was cut off a bit. I ran a new scan, here are the results.



Avira AntiVir Personal
Report file date: Monday, July 06, 2009 14:55

Scanning for 1448372 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : 1ECA66A679AB494

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 14:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:29:46
ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 01:29:49
ANTIVIR3.VDF : 7.1.4.182 52224 Bytes 7/5/2009 01:29:50
Engineversion : 8.2.0.204
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 16:52:04
AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/6/2009 01:30:05
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 16:02:01
AERDL.DLL : 8.1.2.2 438642 Bytes 7/6/2009 01:30:04
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 21:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/6/2009 01:30:01
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/6/2009 01:30:00
AEHELP.DLL : 8.1.3.6 205174 Bytes 7/6/2009 01:29:52
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/6/2009 01:29:51
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 21:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, July 06, 2009 14:55

Starting search for hidden objects.
'53821' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'veohwebplayer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\Explorer.EXE'
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\lsass.exe'
Scan process 'services.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\services.exe'
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\system32\winlogon.exe'
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan

The registry was scanned ( '60' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP357.tmp\aspapp\ocpinst.exe
[0] Archive type: NSIS
--> [UnknownDir]
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\dcduasm.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Jennifer.exe.vir
[DETECTION] Is the TR/Rabbit.JU Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmnuemwpejjuxeir.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmwjjnfrwhbmxfmx.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpypiqqowksgvxdk.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
[DETECTION] Contains HEUR/HTML.Malware suspicious code
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrkjxmjafxneirv.dll.vir
[DETECTION] Is the TR/TDss.adzz Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101425.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101430.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.21845.K Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101432.exe
[0] Archive type: NSIS
--> [PluginsDir]/utility.dll
[DETECTION] Is the TR/StartPage.HMI Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148901.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148902.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148903.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148904.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148905.dll
[DETECTION] Is the TR/TDss.adzz Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148906.dll
[DETECTION] Is the TR/TDss.aebu Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148936.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148937.exe
[DETECTION] Is the TR/Rabbit.JU Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148946.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148947.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149089.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149090.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP791\A0149178.exe
[DETECTION] Is the TR/Agent.1436664 Trojan
C:\WINDOWS\explorer.exe
[DETECTION] Is the TR/Patched.AA.522 Trojan
C:\WINDOWS\system32\lsass.exe
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\services.exe
[DETECTION] Is the TR/Patched.Gen Trojan
C:\WINDOWS\system32\winlogon.exe
[DETECTION] Is the TR/Patched.AA.546 Trojan

Beginning disinfection:
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] The file was ignored!
C:\WINDOWS\Explorer.EXE
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] The file was ignored!
C:\Program Files\MSN Messenger\msimg32.dll
[DETECTION] Contains recognition pattern of the ADSPY/FunWeb adware or spyware
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\dcduasm.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\Documents and Settings\Jennifer\Jennifer.exe.vir
[DETECTION] Is the TR/Rabbit.JU Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmnuemwpejjuxeir.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmwjjnfrwhbmxfmx.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpypiqqowksgvxdk.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrpmiqtdyxgsfkwh.dll.vir
[DETECTION] Is the TR/TDss.aebu Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\uactmp.db.vir
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwrkjxmjafxneirv.dll.vir
[DETECTION] Is the TR/TDss.adzz Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACawviwewbsbxjccv.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
[WARNING] The file was ignored!
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101425.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101430.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP745\A0101432.exe
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148901.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.Y.23 root kit
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148902.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148903.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148904.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148905.dll
[DETECTION] Is the TR/TDss.adzz Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148906.dll
[DETECTION] Is the TR/TDss.aebu Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148936.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148937.exe
[DETECTION] Is the TR/Rabbit.JU Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148946.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0148947.sys
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149089.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP789\A0149090.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file was ignored!
C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP791\A0149178.exe
[DETECTION] Is the TR/Agent.1436664 Trojan
[WARNING] The file was ignored!
C:\WINDOWS\explorer.exe
[DETECTION] Is the TR/Patched.AA.522 Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\lsass.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\services.exe
[DETECTION] Is the TR/Patched.Gen Trojan
[WARNING] The file was ignored!
C:\WINDOWS\system32\winlogon.exe
[DETECTION] Is the TR/Patched.AA.546 Trojan
[WARNING] The file was ignored!


End of the scan: Monday, July 06, 2009 15:50
Used time: 53:12 Minute(s)

The scan has been done completely.

6702 Scanned directories
375704 Files were scanned
37 Viruses and/or unwanted programs were found
1 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
375664 Files not concerned
9298 Archives were scanned
38 Warnings
3 Notes
53821 Objects were scanned with rootkit scan
0 Hidden objects were found
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 7th, 2009, 5:18 pm

Hi jinr,
It appears that you have Recovery Console installed... or ComboFix would have reflected it missing in the earlier run... we will be using the Recovery Console in this
set of instructions... so:

Please PRINT these instructions... as you will not have access to them during some fix steps!

The infected files found in the C:\Qoobox and System Volume Information folders are not a threat to you at the moment... these are files that CombFix removed (Qoobox)
or infected files found in old System Restore Points (SRP) and we will remove these later... If you perform a System Restore, you'll reinfect the computer!

Now... I must tell you that trying to clean your machine may not be possible. There is a good possibility that the type of infection you have, infecting the various system files, is a
variant of a VIRUT polymorphic file infection. I haven't seen the "typical" indications of VIRUT but again... this may be a variant, with different indcators.
We can try to replace the 4 Windows system files infected but that doesn't mean that you would be free of infection or that other files aren't still infected. Here is the information I post when I know the machine has a Virut infection:
Virut Infection!... a Polymorphic File Infector.
"Virut" is a family of polymorphic, memory-resident, appending file infectors... meaning it is capable of modifying itself every time it runs. Viruses belonging to this family infect files with .EXE and .SCR extensions.
All viruses belonging to the Virut family also contain an IRC-based backdoor, that provides unauthorized access to infected computers.
In addition, when it infects, it will sometimes destroy the file it infected. For these reasons, you really can't truly fix Virut.

You will need to reformat and reinstall, the operating system on this machine!
Please refer to these instructions, how to perform Windows XP: Clean Install

More information: http://free.avg.com/66558
AVG Technologies wrote:
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusP ... key=143034
Network Associates wrote:
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either: Immediately before the encrypted code at the end of the last section At the end of the code section of the infected host in 'slack-space' (assuming there is any) At the original entry point of the host (overwriting the original host code)

Because of it's backdoor functionality... You are strongly advised to do the following:
  1. Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  2. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
    If you don't mind the hassle, change all your account numbers.
  3. From a clean computer, change all your passwords
    (Internet login, your email address(es), financial accounts, PayPal, eBay, Amazon...any online activities you carry out which require a username and password).
    Do NOT change your passwords from this computer, the attacker can still get all the new passwords and transaction records.

I would strongly suggest you backup all of your valuable and personal data... (ie. documents, pictures, movies, songs, etc...)
Do NOT backup any applications or installers. Do NOT backup any .exe, .scr, .htm, .html, .xml, .zip, .rar files... as these files may be infected as well.
If you back them up...then replace or reinstall them, you will re-infect your system again.

Microsoft MVP Miekiemoes, a malware removal expert, discusses the Virut infection...here.

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
How do I respond to a possible identity theft and how do I prevent it
Where to backup your files...How to backup your files in Windows XP...Restoring your backups

If you have any questions, please feel free to ask.

After reading the above, if you still wish to attempt fixing this machine, please proceed as follows:

Please read these instructions carefully, before executing and perform the following steps in the order given.
lf, you have any questions about or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem.

Step 1.
Check for files
We need to verify some files exists.
  1. Right click on the Start...button... then Select Explore...from the menu.
  2. Navigate to and find the following files
    Code: Select all
    C:\Windows\ServicePackFiles\i386\explorer.exe
    C:\Windows\ServicePackFiles\i386\lsass.exe
    C:\Windows\ServicePackFiles\i386\services.exe
    C:\Windows\ServicePackFiles\i386\winlogon.exe
  3. Please post back and let me know if all 4 files were found in the C:\Windows\ServicePackFiles\i386 folder. Could be I386 as well.

If you found all 4 files in the above step... proceed to the next step. Otherwise...<STOP> and post back.

Step 2.
Rename Bad - Copy Good Files
We create a batch file to rename the infected files and copy good versions to replace them.
It will be easier and less error prone, if we create a batch file to do this... please follow these steps:
  1. Copy all text in the quote box (below)...to Notepad.
    @ECHO OFF
    REM: Delete the c:\windows\system32\kthn.exe file while we're here.

    del /f /s /q "C:\WINDOWS\System32\kthn.exe"

    ren "C:\Windows\explorer.exe" "C:\Windows\explorer.OLD"
    copy "C:\Windows\ServicePackFiles\i386\explorer.exe" "C:\Windows\explorer.exe"

    ren "C:\Windows\System32\lsass.exe" "C:\Windows\System32\lsass.OLD"
    copy "C:\Windows\ServicePackFiles\i386\lsass.exe" "C:\Windows\System32\lsass.exe"

    ren "C:\Windows\System32\services.exe" "C:\Windows\System32\services.OLD"
    copy "C:\Windows\ServicePackFiles\i386\services.exe" "C:\Windows\System32\services.exe"

    ren "C:\Windows\System32\winlogon.exe" "C:\Windows\System32\winlogon.OLD"
    copy "C:\Windows\ServicePackFiles\i386\winlogon.exe" "C:\Windows\System32\winlogon.exe"
    del %0
  2. Save the Notepad file on your root drive ... as C:\rencopy.bat... save type as "All Files"
  3. Stop... do not run the batch file yet!!
    Now you must REBOOT your computer and choose Recovery Console from the boot menu.
    At the Recovery Console:
  4. Enter the Administrator password, if you established one... if none, press the Enter key.
  5. Enter CD C:\ ... then press the Enter key, to position you at the root drive.
  6. Type rencopy.bat then press the Enter key... to execute the batch rename and copy file.
The infected files should have been renamed and good copies used to replace them.

Please reboot your computer normally...

Step 3.
Run the Avira antivirus scan again please... posting the results in your nest reply.

Step 4.
Please include in your next reply:
  1. If you found all 4 files
  2. Let me know if Recovery Console execution was OK.
  3. New Avira scan results
Thanks,
Wingman
Last edited by Wingman on July 8th, 2009, 7:39 am, edited 1 time in total.
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 7th, 2009, 8:06 pm

I found the four files you asked about in C:\WINDOWS\ServicePackFiles\i386

I have a question about the batch file though: It says copy "C:\Windows\ServicePackFiles\explorer.exe" "C:\Windows\explorer.exe"

Is this right? Should it be C:\WINDOWS\ServicePackFiles\i386\explorer.exe like all the other lines? Or is this special?

Edit: Also, I noticed something very strange on the system: When I'm in the command line, when I press the 'tab' key, the cursor moves over to the right by a tab .. usually pressing tab makes it display the next filename in the current directory ..

Also, about the recovery console: The very first time you asked me to run ComboFix, it told me 'Warning: This machine does NOT have the Recovery Console installed!" and recommended & offered to install it for me, which I did. Sorry for not mentioning this earlier.

Thanks again for all of your help, I will read about the Virut infection
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 8th, 2009, 7:43 am

Hi jinr,
Good catch, I thought I changed that! :oops: I have corrected the code, in the original post.
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA

Re: My computer has become infected with Manson/Liser

Unread postby jinr » July 9th, 2009, 11:46 am

Alright, I created the batch file in C:\
I log into the recovery console, it asks me what system to load, the only option is 1 which is C:\WINDOWS\, so I choose that
It loads me into C:\WINDOWS\
I cd C:\, and it goes
When I type 'rencopy.bat', it says "Command is not recognized type HELP for a list of supported commands"
jinr
Banned Member
 
Posts: 22
Joined: June 29th, 2009, 7:24 am

Re: My computer has become infected with Manson/Liser

Unread postby Wingman » July 10th, 2009, 7:15 am

Hi jinr,
I guess we'll have to do it the old fashioned way... manually.

Please PRINT these instructions... as you will not have access to them in Recovery Console!

Step 1.
Restart your computer and enter Recovery Console
Enter 1 for the Windows system you want to use and press Enter
at the C:\Windows prompt... type the following commands one (1) at a time... pressing Enter after each command is entered:

del C:\WINDOWS\System32\kthn.exe

ren C:\Windows\explorer.exe C:\Windows\explorer.OLD

copy C:\Windows\ServicePackFiles\i386\explorer.exe C:\Windows\explorer.exe

ren C:\Windows\System32\lsass.exe C:\Windows\System32\lsass.OLD

copy C:\Windows\ServicePackFiles\i386\lsass.exe C:\Windows\System32\lsass.exe

ren C:\Windows\System32\services.exe C:\Windows\System32\services.OLD

copy C:\Windows\ServicePackFiles\i386\services.exe C:\Windows\System32\services.exe

ren C:\Windows\System32\winlogon.exe C:\Windows\System32\winlogon.OLD

copy C:\Windows\ServicePackFiles\i386\winlogon.exe C:\Windows\System32\winlogon.exe


When all files have been renamed and good ones copied.
Please reboot your computer normally...

Step 2.
Run the Avira antivirus scan again please... posting the results in your nest reply.

Step 3.
Please include in your next reply:
  1. Let me know if Recovery Console executions were OK.
  2. New Avira scan results
Thanks,
Wingman
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 290 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware